Analysis

  • max time kernel
    92s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    21/09/2024, 00:56 UTC

General

  • Target

    eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe

  • Size

    217KB

  • MD5

    eec4b4c99ef12c3af34dbceb9bba0bd3

  • SHA1

    5cdb384dc1b13b32fccb078093b8e7ea25c68053

  • SHA256

    980d2ecca216194eb70a3cb502f039589f9a0c2b4fb37392c19144527423ea55

  • SHA512

    92b3947cf1296b7fa9a899c4552ac74c406adda9df174155169f957e1c10a68c49dc856edb95ef25de1ea2e3bfa828f5e121415e3f1cb3587e49f89e9d55226b

  • SSDEEP

    6144:OQVHddxtFrchQzcp63BkJhysb6PAE30aT:t59tFrcagQMynB

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd /c cmd /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe" "C:\Program Files\Common Files\Boot\svhost.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:220
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cmd /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe" "C:\Program Files\Common Files\Boot\svhost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe" "C:\Program Files\Common Files\Boot\svhost.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: RenamesItself
          PID:2608
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v shell /t reg_sz /d "C:\Program Files\Common Files\Boot\svhost.exe" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\SysWOW64\reg.exe
        reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v shell /t reg_sz /d "C:\Program Files\Common Files\Boot\svhost.exe" /f
        3⤵
        • Modifies WinLogon for persistence
        • System Location Discovery: System Language Discovery
        PID:392
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon " /v shell /t reg_sz /d "C:\Program Files\Common Files\Boot\svhost.exe" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4560
      • C:\Windows\SysWOW64\reg.exe
        reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon " /v shell /t reg_sz /d "C:\Program Files\Common Files\Boot\svhost.exe" /f
        3⤵
        • Modifies WinLogon for persistence
        • System Location Discovery: System Language Discovery
        PID:5004
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:4832
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d "1" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3188
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d "1" /f
        3⤵
        • Disables RegEdit via registry modification
        • System Location Discovery: System Language Discovery
        PID:1692
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Impair Defenses: Safe Mode Boot
        • System Location Discovery: System Language Discovery
        PID:1648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\Boot\svhost.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:940
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Program Files\Common Files\Boot\svhost.exe"
        3⤵
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:4892
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\Boot"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4944
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Program Files\Common Files\Boot"
        3⤵
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:744

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2280-0-0x0000000000400000-0x0000000000D57000-memory.dmp

    Filesize

    9.3MB

  • memory/2280-1-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

    Filesize

    8KB

  • memory/2280-2-0x0000000000400000-0x0000000000D57000-memory.dmp

    Filesize

    9.3MB

  • memory/2280-4-0x0000000000400000-0x0000000000D57000-memory.dmp

    Filesize

    9.3MB
